Crypto Politics

Last Updated: 24 February 2001

"I went to the store the other day to buy a bolt for our front door, for as I told the storekeeper, the governor was coming here. 'Aye,' said he, 'and the Legislature too.' 'Then I will take two bolts,' said I. He said that there had been a steady demand for bolts and locks of late, for our protectors were coming."

- Henry David Thoreau

Historically, cryptography was for many years the exclusive domain of
national security agencies and the military. Even though strong
cryptographic algorithms are now in the public domain, governments
persist with restrictive policies on the use and export of cryptography
products.
Until the cryptography policy debate is resolved, privacy and security on
the Internet remain hostage to outdated regulations from the Cold War era.

This page provides an update on the state of play of Crypto Politics in:

The References section provides links to sources of
additional information.

Australia

Australian Crypto Export Restrictions

Australian regulations ban cryptography exports, claiming
responsibilities as a party to the
Wassenaar Arrangement.
However, an export license can be obtained on application to the Department of
Defence.
The conditions of such a license are not openly stated, and at least
one Australian software company has been refused a license. Even
public domain software such as PGP requires a license, since Australia does
not acknowledge the General Software Note waiver under the Wassenaar
Arrangement, which is allowed in most countries to permit the export
of mass market and public domain crypto software.

In August 1998, EFA released a Cryptography FAQ (Frequently
Asked Questions) concerning Australian crypto policy. This FAQ exposes
the reality of Australian controls over encryption, much of which is
information that is not widely known.

The government approach to crypto policy generally in Australia is very
much along the lines of US policy. Although key escrow has been raised as an
issue in some circles here, it has not formed part of any government policy as
yet. However, it is known that the Defence Signals Directorate, which evaluates
export license applications, encourages applicants who are able to
provide key escrow or key recovery facilities in their products.

With the development of extensive electronic commerce networks, this issue has a commercial security dimension as well. Encryption technology is essential to electronic commerce. Transactions will not be initiated unless people are confident that personal and financial information is protected from unauthorised interception. Heavy-handed attempts to ban strong encryption techniques will compromise commercial security, discouraging online service industries (particularly in the financial sector) from adopting Australia as a domicile. This would result in a substantial economic loss to the country.

In July 1998, EFA launched a campaign aimed at bringing the crypto
controls debate into the public arena. See the
Campaign page for more information.

In December 1998 the 33 Wassenaar signatory nations, meeting in Vienna
in plenary session, agreed to
new controls over the export of mass market software.
In June 1999, Australia issued a new Defence and Strategic Goods List (DSGL)
as a result of the Wassenaar changes. The new list appears to incorporate the
1998 Wassenaar list verbatim.

The Walsh Report

This report was released by EFA in 1997 after we obtained
it under a Freedom of Information Act application. A brief history follows:

In February 1997, the Commonwealth Attorney-General's Department put a
hold on the public release of
the Walsh Report, an important review of cryptography
policy.

The report, entitled Review of policy relating to encryption
technologies, is the outcome of a study
conducted in 1996 by Gerard Walsh, a former deputy director-general of
ASIO. Publication of the report was eagerly awaited by members of the
law enforcement community, other government departments, commerce, and
the online community. It was expected that the report would examine the
various issues in the cryptography debate and encourage further
comment and consultation.

The report was listed for sale by the Australian Government
Publishing Service in January 1997, but was hurriedly withdrawn from
the list 3 weeks later, following EFA's enquiry as to why it was listed
yet unobtainable from AGPS outlets.
The original intention was to allow for a 3-month
consultation period for public comment. EFA then released a
Media Statement calling for the release of the report.

In March 1997, EFA lodged an FOI request for a copy of the report. This was
initially denied but a censored version of the report was subsequently
released after a request for review of the original decision was lodged.
The report was then published online by EFA.

In January 1999, a complete copy of the report was obtained, allowing
a unique opportunity to examine the censored sections in the
original release. The full publication was then
made available online with the
censored sections highlighted in red.

This is an important review of encryption policy which has generated international
interest. It takes a balanced look at the issues and casts strong doubts on
the workability and desirability of key escrow/key recovery policies.

OECD

On 27 March 1997 the Organization for Economic Cooperation and Development (OECD)
released Cryptography Policy
Guidelines. The guidelines reject key escrow and recommend voluntary,
market driven development of crypto products. The OECD member countries also
emphasized privacy protection, user confidence, and recommended removal of
restrictions on cryptography. The
Media Release announcing the guidelines contains additional explanatory
information. Although the OECD has no formal authority, it is hoped that the guidelines
will allow the development of a unified international framework for the use of cryptography.

The Australian Government announced in the Prime Minister's industry
statement of December 1997 that it would be adopting the
OECD guidelines.

In September 1996, EPIC and other groups sponsored a
conference to educate
the OECD on the public and technical views on cryptography policy.

Immediately prior to this conference, EFA joined many of the world's leading human and cyber
rights organizations in signing a
resolution supporting
unrestricted use of cryptography.
The resolution notes that the use of cryptography implicates human rights and
matters of personal liberty that affect individuals around the world, and that the privacy of
communication is explicitly protected by Article 12 of the Universal Declaration of Human Rights
and Article 17 of the International Covenant on Civil and Political Rights.

USA

The US government has been one of the world's strongest proponents of
tight restrictions on cryptography, and has pushed strongly for various
Key Escrow proposals (widely known as Clipper after the initial
proposal for a Clipper chip which incorporated a built-in
government-mandated key escrow feature). The US government has also strongly
resisted demands from business and the software industry for loosening of
cryptography export controls, which are among the most restrictive in the
world.

New US Export Regulations

On December 30, 1996 the White House released
new regulations on the export of cryptography, although many claim that
they differ little from the previous restrictions. Jurisdiction for
controls has been moved from the State Department to the Commerce Department.
Key escrow and key recovery products are given favourable treatment under
this policy. Several companies have now obtained licenses under these
new regulations, including one company which has been permitted to export
a product using a 128-bit key, for an application limited to the transfer
of specific financial information.

Bernstein Challenge on Constitutional Grounds

On December 18, US District Court Judge Patel ruled in the
Bernstein case that current restrictions on exports
of cryptography violate the First Amendment.
On December 30, Professor Bernstein asked the Government
to agree to delay enforcement of the new regulations while Judge Patel
reviews them for Constitutionality. Failing that, Bernstein
asked the court for a temporary restraining order to block
their enforcement.

Karn Challenge to Export Regulations

In another challenge to US export restrictions on algorithms,
oral arguments in the
Karn v. State case were heard by the US Court of Appeals for the DC
Circuit in January 1997.
EPIC, ACLU, the Internet Society and USACM filed an
Amicus brief supporting free use of cryptography.

Proposed Congress Bill

On January 28 1997, Senators Conrad Burns, Patrick Leahy, and Ron Wyden
announced that they will re-introduce the
Promotion of Commerce Online in the Digital Era (Pro-CODE) bill.
The bill, which attracted significant bi-partisan support last year, would
relax export controls on encryption technologies and promote the widespread
availability of strong, easy-to-use privacy and security technologies.

The Government invited comments on this paper
and the major cyber-rights organisations around the world, including EFA,
published a
press release and letter to DTI protesting about the proposal.

In July 1998, DTI published an
Industry White Paper on Export Controls which proposes to extend
export controls to include intangibles (see section 3.2). This
proposal has attracted a great deal of opposition, particularly from
the UK crypto research community.

Statements on Cryptography Policy by various organisations

Almost all major national and international organisations involved in the
information industry have publicly supported the relaxation of strict
controls over the use and export of encryption products.
Among these are: